[strongSwan] Can strongSwan support 100k concurrent connections?

Varun Singh varun.singh at gslab.com
Mon Jan 16 14:25:35 CET 2017


On Mon, Jan 16, 2017 at 6:32 PM, Michael Schwartzkopff <ms at sys4.de> wrote:
> On Monday, 16 January 2017, 18:30:15, Varun Singh wrote:
>> On Mon, Jan 16, 2017 at 6:18 PM, Michael Schwartzkopff <ms at sys4.de> wrote:
>> > On Monday, 16 January 2017, 18:09:00, Varun Singh wrote:
>> >> On Mon, Jan 16, 2017 at 6:04 PM, Michael Schwartzkopff <ms at sys4.de> wrote:
>> >> > On Monday, 16 January 2017, 20:06:45, Andreas Steffen wrote:
>> >> >> Hi Varun,
>> >> >>
>> >> >> we have customers who have successfully been running up to 60k
>> >> >> concurrent tunnels. In order to maximize performance please have
>> >> >> a look at the use of hash tables for IKE_SA lookup
>> >> >>
>> >> >>    https://wiki.strongswan.org/projects/strongswan/wiki/IkeSaTable
>> >> >>
>> >> >> as well as job priority management
>> >> >>
>> >> >>    https://wiki.strongswan.org/projects/strongswan/wiki/JobPriority
>> >> >>
>> >> >> We also recommend using file-based logging, since writing to syslog
>> >> >> slows down the charon daemon severely
>> >> >>
>> >> >>    https://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration
>> >> >>
>> >> >> The bottleneck for IKE processing is the Diffie-Hellman key exchange
>> >> >> where 70-80 % of the computing effort is spent. Use the ecp256 or
>> >> >> the new curve25519 (available with strongSwan 5.5.2) DH groups for
>> >> >> maximum performance.
>> >> >>
>> >> >> ESP throughput is limited by the number of available cores and the
>> >> >> processor clock frequency. Use aes128gcm16 for maximum performance.
>> >> >>
>> >> >> Best regards
>> >> >>
>> >> >> Andreas
>> >> >>
>> >> >> On 16.01.2017 19:00, Varun Singh wrote:
>> >> >> > Hi,
>> >> >> > As I understand, strongSwan supports scalability from 4.x onwards. I
>> >> >> > am new to strongSwan and to VPN in general.
>> >> >> > I have set up strongSwan 5.3.5 on Ubuntu 16.04 LTS.
>> >> >> > Though I have read that strongSwan supports scalability, I couldn't
>> >> >> > find stats to support it.
>> >> >> > Before adopting strongSwan, my team wanted to know *if it can
>> >> >> > support up to 100k simultaneous connections*. Hence I need to find
>> >> >> > pointers to obtain this kind of information.
>> >> >
>> >> > Hi,
>> >> >
>> >> > I think further scaling might be possible with load balancers. But this
>> >> > is a topic for deeper investigation in the project.
>> >> >
>> >> > Kind regards,
>> >> >
>> >> > Michael Schwartzkopff
>> >> >
>> >> > --
>> >> > [*] sys4 AG
>> >> >
>> >> > http://sys4.de, +49 (89) 30 90 46 64, +49 (162) 165 0044
>> >> > Schleißheimer Straße 26/MG, 80333 München
>> >> >
>> >> > Registered office: Munich, Munich District Court: HRB 199263
>> >> > Management Board: Patrick Ben Koetter, Marc Schiffbauer
>> >> > Chairman of the Supervisory Board: Florian Kirstein
>> >> > _______________________________________________
>> >> > Users mailing list
>> >> > Users at lists.strongswan.org
>> >> > https://lists.strongswan.org/mailman/listinfo/users
>> >>
>> >> Thanks Michael,
>> >> I was just searching whether load balancing is supported by strongSwan
>> >> or not. Came across this thread:
>> >> https://lists.strongswan.org/pipermail/users/2013-November/005615.html
>> >>
>> >> But this didn't lead to any conclusion.
>> >> So is load balancing supported by strongSwan?
>> >
>> > If you use LVS in front of it, the VPN server does not know about the
>> > load balancing. You would have to find a solution for the reverse
>> > traffic, i.e. IP pools on the VPN server.
>> >
>> > LVS offers a feature to do load balancing with firewall marks. This
>> > might be necessary for balancing IKE and ESP together.
>> >
>> > I don't know if an SA sync between strongSwan servers is possible.
>> >
>> > But anyway: this setup should be designed and tested very carefully.
>> >
>> >
>> > Kind regards,
>> >
>> > Michael Schwartzkopff
>> >
>>
>> "You would have to find a solution for the reverse traffic, i.e. IP pools on
>> the VPN server."
>> -> This is what I am mainly concerned about. There is something called
>> ClusterIP. I need to figure out what it is and how I can use it for
>> load balancing.
>>
>>
>> "I don't know if a SA sync between strongswan servers is possible."
>> -> I guess this will be needed if server_1 fails and the user should
>> automatically be switched to server_2. Is that right?
>
> These questions depend on your concept / design / implementation.
>
> If you can afford a little downtime, DPD could be an option for you.
>
>
>
>
> Kind regards,
>
> Michael Schwartzkopff
>

My objective is mainly scalability. So if 1 instance can support 60k
concurrent connections and I expect 100k connections, then I can
deploy 2 instances. Am I on the right track?

-- 
Regards,
Varun Singh
Sr. Software Engineer | m: +91 20 4671 2290 |
Great Software Laboratory
------------------------------------------------------------------------------
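The tuning advice quoted earlier in this thread (IKE_SA hash table, job priority management, file-based logging instead of syslog, cheap DH groups and an AEAD ESP cipher) collected into one configuration, as an added example that is not part of the original post or of the strongSwan project's documentation. The option names are those of strongswan.conf and ipsec.conf in the strongSwan 5.x series discussed here; every numeric value (table size, thread counts, log path) is an illustrative assumption that has to be tuned to the actual hardware and connection rate.

```conf
# /etc/strongswan.conf (added example; all values are assumptions to tune)
charon {
    # IKE_SA lookup via hash table instead of the default linear list.
    # size = number of buckets, segments = number of independently locked
    # parts of the table; more segments reduce lock contention between
    # worker threads. The table cannot be resized while charon runs.
    ikesa_table_size = 4096
    ikesa_table_segments = 64

    # Job priority management: raise the worker pool and reserve threads
    # for high- and medium-priority jobs, so that a burst of new connection
    # attempts cannot starve work on already established tunnels (which
    # class each job falls into is listed on the JobPriority wiki page).
    threads = 64
    processor {
        priority_threads {
            high = 8
            medium = 8
        }
    }

    # Log to a file and silence syslog, which is slow under load.
    syslog {
        daemon {
            default = -1
        }
    }
    filelog {
        /var/log/charon.log {
            time_format = %b %e %T
            ike_name = yes
            append = no
            default = 1
            flush_line = yes
        }
    }
}

# /etc/ipsec.conf (added example): Diffie-Hellman is the dominant IKE cost,
# so offer curve25519 (strongSwan 5.5.2 or later) with ecp256 as fallback,
# and use AES-GCM for both IKE and ESP. The trailing '!' makes the proposal
# list strict so that no weaker or slower algorithm can be negotiated.
conn %default
    ike=aes128gcm16-prfsha256-curve25519,aes128gcm16-prfsha256-ecp256!
    esp=aes128gcm16!
```

Two checks worth doing after applying such a configuration: confirm with `ipsec statusall` (or the charon log at level 1) that negotiated IKE_SAs actually use the intended DH group and AEAD cipher rather than a fallback, and watch the file log for job-queue or thread-exhaustion warnings while ramping up the connection count, since the right `threads` and `priority_threads` values depend on how many cores the box has and how fast peers connect.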

